Closed Bug 986664 Opened 7 years ago Closed 7 years ago

Make Android FxAccountClient* HAWK requests always include request payload hash

Categories

(Firefox for Android :: Android Sync, defect, P3)

All
Android
defect

Tracking


RESOLVED FIXED
Firefox 31
Tracking Status
firefox29 --- affected
firefox30 --- affected
firefox31 --- fixed
fennec 29+ ---

People

(Reporter: nalexander, Assigned: nalexander)

References

Details

Component: Server: Firefox Accounts → Android Sync
Product: Mozilla Services → Android Background Services
rnewman: this should be tracking 29, but I don't have permissions (!?).
Flags: needinfo?(rnewman)
tracking-fennec: --- → 29+
To be precise, the requests should always *provide* payload verification hashes. HAWK clients don't have a way to ask the server to verify payloads or not (that's the server's decision). Also, we should be clear that this isn't about having the client verify *responses*, which is another option in the HAWK world (which we don't use).

It's only about having requests include a "hash=" attribute in the "Authorization:" header, which contains a hash of the payload. The current code only does this for a few (one?) kinds of requests; the desired behavior is to do it for all POSTs.
warner: Roger that.  This will mean making FxAccountClient.RequestDelegate set the boolean based on the request method (or similar).
Flags: needinfo?(rnewman)
Summary: Make Android FxAccountClient* HAWK requests always request payload verification → Make Android FxAccountClient* HAWK requests always include request payload hash
Priority: P1 → P3
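To make the distinction in the two comments above concrete, here is an added worked example in Python (not the Android Sync tree's Java, and not code from this bug or its patch) of what a HAWK request looks like with and without the "hash=" attribute, and what a server can and cannot check in each case. The key id, key, host, path and JSON body are constructed sample values, not real Firefox Accounts credentials; `include_hash=False` models the old client behaviour, `include_hash=True` the fixed one.

```python
"""HAWK v1 request signing with the request payload hash.

Illustrative re-implementation of the client and server steps the bug
discusses; not the FxAccountClient code. Credentials and request data
below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import os
import time


def hawk_payload_hash(payload: bytes, content_type: str) -> str:
    """base64(SHA-256("hawk.1.payload\n" + media-type + "\n" + body + "\n")).

    HAWK reduces Content-Type to its media type before hashing: parameters
    after ';' are dropped and the result is trimmed and lowercased.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    h = hashlib.sha256()
    h.update(b"hawk.1.payload\n")
    h.update(media_type.encode("utf-8") + b"\n")
    h.update(payload + b"\n")
    return base64.b64encode(h.digest()).decode("ascii")


def hawk_mac(key: bytes, ts: str, nonce: str, method: str, resource: str,
             host: str, port: int, payload_hash: str, ext: str) -> str:
    """base64(HMAC-SHA-256(key, normalized "hawk.1.header" string)).

    An absent hash or ext is an empty line: the MAC covers the hash
    attribute when present, but never the body itself.
    """
    normalized = "\n".join([
        "hawk.1.header", str(ts), nonce, method.upper(), resource,
        host.lower(), str(port), payload_hash or "", ext or "",
    ]) + "\n"
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_authorization(key_id, key, method, resource, host, port,
                        payload=None, content_type=None, ext="",
                        include_hash=True, ts=None, nonce=None):
    """Client side: build the Authorization: Hawk header.

    include_hash=True adds hash= on every request carrying a body (the
    fixed behaviour); include_hash=False signs without binding the body.
    """
    ts = str(int(time.time())) if ts is None else str(ts)
    nonce = base64.b64encode(os.urandom(6)).decode("ascii") if nonce is None else nonce
    payload_hash = ""
    if payload is not None and include_hash:
        payload_hash = hawk_payload_hash(payload, content_type)
    mac = hawk_mac(key, ts, nonce, method, resource, host, port, payload_hash, ext)
    attrs = [("id", key_id), ("ts", ts), ("nonce", nonce)]
    if payload_hash:
        attrs.append(("hash", payload_hash))
    if ext:
        attrs.append(("ext", ext))
    attrs.append(("mac", mac))
    return "Hawk " + ", ".join(f'{k}="{v}"' for k, v in attrs)


def parse_authorization(header: str) -> dict:
    """Split 'Hawk a="1", b="2"' into {'a': '1', 'b': '2'}."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Hawk":
        raise ValueError("not a Hawk header")
    attrs = {}
    for part in rest.split(", "):
        name, _, value = part.partition("=")
        attrs[name] = value.strip('"')
    return attrs


def server_verify(key_lookup, header, method, resource, host, port,
                  body, content_type) -> str:
    """Server side: check the MAC first, then the body against hash= if the
    client supplied one. Returns a short verdict string."""
    attrs = parse_authorization(header)
    key = key_lookup(attrs["id"])
    expected = hawk_mac(key, attrs["ts"], attrs["nonce"], method, resource,
                        host, port, attrs.get("hash", ""), attrs.get("ext", ""))
    if not hmac.compare_digest(expected, attrs["mac"]):
        return "bad mac"
    if "hash" not in attrs:
        # Nothing ties the body to the signature; the server has no way
        # to distinguish the original body from a modified one.
        return "mac ok, payload unverified"
    if not hmac.compare_digest(hawk_payload_hash(body, content_type), attrs["hash"]):
        return "bad payload hash"
    return "ok"


# Constructed sample credentials and request; not real FxA values.
KEY_ID = "dh37fgj492je"
KEY = b"werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn"
HOST, PORT, RESOURCE = "api.example.org", 443, "/v1/account/login"
CONTENT_TYPE = "application/json; charset=utf-8"
BODY = json.dumps({"email": "user@example.org", "authPW": "00" * 32}).encode()
TAMPERED = json.dumps({"email": "attacker@example.org", "authPW": "00" * 32}).encode()


def demo(include_hash=True):
    """Sign BODY, then have the server check the original and a tampered body."""
    header = build_authorization(KEY_ID, KEY, "POST", RESOURCE, HOST, PORT,
                                 BODY, CONTENT_TYPE, include_hash=include_hash,
                                 ts=1353832234, nonce="j4h3g2")
    lookup = {KEY_ID: KEY}.get
    original = server_verify(lookup, header, "POST", RESOURCE, HOST, PORT, BODY, CONTENT_TYPE)
    tampered = server_verify(lookup, header, "POST", RESOURCE, HOST, PORT, TAMPERED, CONTENT_TYPE)
    return header, original, tampered


if __name__ == "__main__":
    for flag in (True, False):
        header, original, tampered = demo(flag)
        print(header)
        print("  original body:", original, "| tampered body:", tampered)
```

With `include_hash=True` the tampered body is rejected ("bad payload hash"); with `include_hash=False` the MAC still validates for both bodies and the server's only honest answer is "payload unverified", which is why the client must supply the hash on every POST and leave the decision to verify to the server.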
The PR in Bug 985766 is, in fact, addressing this ticket.  Will update the bug number before landing.
Well, that was a bumpy landing.

https://hg.mozilla.org/integration/fx-team/rev/4a44ad0248ba
Status: NEW → ASSIGNED
https://hg.mozilla.org/mozilla-central/rev/4a44ad0248ba
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 31
Product: Android Background Services → Firefox for Android